Nice find. Two questions:
1) How difficult would it be to pass the CFG check?
2) If you were to patch this bug, what would you do? It looks like a type confusion bug so enforcing a type check of the object pointed to by rcx?
Thanks!

1) I will not make any further comments on exploitability, at least not until the bug is fixed. The report has too much info on that as it is (I really didn't expect this one to miss the deadline).
2) The first step would be to determine why the type confusion occurred in the first place. Adding a type check somewhere in the vulnerable function might be sufficient, but it also might be just fixing the symptom and not the root cause. My hypothesis, given that there are two types of columns in the DOM (HTML table columns and CSS columns), is that IE/Edge gets confused between the two.

I cannot confirm this issue.
On Edge I get the same screen as 'jou...@jabbari.io' (comment #8).
And using IE (Version 11.1000.15025.0) the browser only shows a notification about IE having restricted the ActiveX controls.
The browser, however, does not crash. It only crashes if the user activates those ActiveX controls.

What I don't understand is: Microsoft said Edge has been written new from the ground up. It only uses the old mshtml rendering engine when the HTML document runs in specific doctypes. Since your code doesn't specify a doctype, does that mean it always falls back to the potentially less secure old code path? If so, Edge is not safer than the old IE as MS claims.